Resubmissions
08/04/2024, 12:28  240408-pnlb2acd6t  10
08/03/2024, 09:07  240308-k3bc6abc69  10
23/03/2023, 01:50  230323-b89y8scg82  10
Analysis
max time kernel: 298s
max time network: 312s
platform: android_x64
resource: android-x64-20240221-en
resource tags: android, arch:x64, arch:x86, image:android-x64-20240221-en, locale:en-us, os:android-10-x64, system
submitted: 08/04/2024, 12:28
Static task
static1
Behavioral task
behavioral1
Sample
376d13affcbfc5d5358d39aba16b814f711f2e81632059a4bce5af060e038ea4.apk
Resource
android-x64-20240221-en
Behavioral task
behavioral2
Sample
376d13affcbfc5d5358d39aba16b814f711f2e81632059a4bce5af060e038ea4.apk
Resource
android-x64-arm64-20240221-en
Behavioral task
behavioral3
Sample
376d13affcbfc5d5358d39aba16b814f711f2e81632059a4bce5af060e038ea4.apk
Resource
android-33-x64-arm64-20240229-en
Behavioral task
behavioral4
Sample
376d13affcbfc5d5358d39aba16b814f711f2e81632059a4bce5af060e038ea4.apk
Resource
android-x86-arm-20240221-en
General
Target: 376d13affcbfc5d5358d39aba16b814f711f2e81632059a4bce5af060e038ea4.apk
Size: 4.6MB
MD5: d4c6871dbd078685cb138a499113d280
SHA1: 60b64c8481f9de5b92634efc70a9ff42f451c78f
SHA256: 376d13affcbfc5d5358d39aba16b814f711f2e81632059a4bce5af060e038ea4
SHA512: e8823b7c73140af88ad6fd8c52a6619d245281170ddb31feb9d4e726ee47a8f34575f687048947272fabfb13dbed2c24f50d6fbd6117d40c1db577305955af59
SSDEEP: 98304:M0C+HR25SOeU0lhoBenZFOw2QxW74PNTcG/bZ7vf0sc:jCmtO/07oEOw2QU74PNT9/t7nc
Malware Config
Extracted
nexus
http://193.42.32.84/
http://193.42.32.87/
Signatures
-
Nexus
Nexus is an Android banking trojan related to the SOVA banking trojan.
Makes use of the framework's Accessibility service (2 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId (process: com.help.marine)
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText (process: com.help.marine)

Checks CPU information (2 TTPs, 1 IoC)
Checks CPU information that indicates whether the system is an emulator.
File opened for read: /proc/cpuinfo (process: com.help.marine)

Checks memory information (2 TTPs, 1 IoC)
Checks memory information that indicates whether the system is an emulator.
File opened for read: /proc/meminfo (process: com.help.marine)

Loads dropped Dex/Jar (1 TTP, 1 IoC)
Runs an executable file dropped to the device during analysis.
Dropped file: /data/user/0/com.help.marine/app_DynamicOptDex/nx.json (PID 5091, process: com.help.marine)

Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
The application may abuse the framework's foreground service to continue running in the foreground.
Framework service call: android.app.IActivityManager.setServiceForeground (process: com.help.marine)

Queries account information for other applications stored on the device (1 TTP, 1 IoC)
The application may abuse the framework's APIs to collect account information stored on the device.
Framework service call: android.accounts.IAccountManager.getAccounts (process: com.help.marine)

Reads the contacts stored on the device (1 TTP, 1 IoC)
URI accessed for read: content://com.android.contacts/contacts (process: com.help.marine)

Acquires the wake lock (1 IoC)
Framework service call: android.os.IPowerManager.acquireWakeLock (process: com.help.marine)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Flow 6: ip-api.com
Processes
-
com.help.marine
- Makes use of the framework's Accessibility service
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries account information for other applications stored on the device.
- Reads the contacts stored on the device.
- Acquires the wake lock
PID:5091
Network
MITRE ATT&CK Mobile v15
Downloads